Bug 1190121 - (CVE-2021-32732) VUL-0: CVE-2021-32732: gtkpod: Stack overflow in embedded AtomicParsley code APar_read64
(CVE-2021-32732)
VUL-0: CVE-2021-32732: gtkpod: Stack overflow in embedded AtomicParsley code ...
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.3
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: openSUSE GNOME
Security Team bot
https://smash.suse.de/issue/308824/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-09-02 14:34 UTC by Gabriele Sonnu
Modified: 2021-09-02 15:15 UTC (History)
0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gabriele Sonnu 2021-09-02 14:34:14 UTC
gtkpod embeds a vulnerable version of AtomicParsley which causes a stack overflow, however the data file used to test atomicparsley upstream is not recognised by gtkpod.

References:

https://github.com/wez/atomicparsley/issues/32
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993376

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1999793
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32732
Comment 1 Gabriele Sonnu 2021-09-02 14:34:40 UTC
Affected packages:

- openSUSE:Backports:SLE-15-SP2/gtkpod  2.1.5
- openSUSE:Backports:SLE-15-SP3/gtkpod  2.1.5
- openSUSE:Backports:SLE-15-SP4/gtkpod  2.1.5
- openSUSE:Factory/gtkpod               2.1.5

Upstream AtomicParsley fix:

https://github.com/wez/atomicparsley/commit/d72ccf06c98259d7261e0f3ac4fd8717778782c1#diff-47c4382cef19abad2635cc53f8efcb5741ce4e3de2dda88a4660afede02c40d1

I cannot reproduce the issue in gtkpod using the upstream reproducer [0], so please double check if we are affected.

[0]
https://github.com/wez/atomicparsley/files/6806091/2021-05-04-09_21_45_0xf6b390a1_0xb1c1261c.zip